From c2ad27ed2c8e86d9a08badc1130406ddffc6cf36 Mon Sep 17 00:00:00 2001 From: Jessica Frazelle Date: Thu, 11 Feb 2016 13:44:00 -0800 Subject: [PATCH] update cap-add docs for seccomp Signed-off-by: Jessica Frazelle Upstream-commit: 91d0d25ee4b82af40ad627810357d099983d6135 Component: cli --- components/cli/docs/reference/run.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/components/cli/docs/reference/run.md b/components/cli/docs/reference/run.md index cab6098ce8..ba2fc2d918 100644 --- a/components/cli/docs/reference/run.md +++ b/components/cli/docs/reference/run.md @@ -1059,6 +1059,14 @@ one can use this flag: --privileged=false: Give extended privileges to this container --device=[]: Allows you to run devices inside the container without the --privileged flag. +> **Note:** +> With Docker 1.10 and greater, the default seccomp profile will also block +> syscalls, regardless of `--cap-add` passed to the container. We recommend in +> these cases to create your own custom seccomp profile based off our +> [default](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json). +> Or if you don't want to run with the default seccomp profile, you can pass +> `--security-opt=seccomp:unconfined` on run. + By default, Docker containers are "unprivileged" and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a
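Review bot: The added note presents `--security-opt=seccomp:unconfined` as an equal alternative to a custom profile, but it disables syscall filtering for the whole container, not just for the syscalls tied to the capability the user added; the text should say that explicitly and order the options so the custom profile is the primary recommendation and `unconfined` the fallback, e.g. "`--security-opt=seccomp:unconfined` disables the seccomp filter entirely; prefer a custom profile that only re-enables the syscalls your workload needs." Two smaller points in the same hunk: the link to `profiles/seccomp/default.json` points at `master`, so it will drift away from what Docker 1.10 actually ships and should reference a tag or release branch instead; and "will also block syscalls" is vague, since it is the set of syscalls denied by the default profile that stays denied even when the matching capability is granted with `--cap-add`, which is the reason a user may see `EPERM` despite the added capability. Consider also placing the note next to the `--cap-add`/`--cap-drop` option list it qualifies rather than after `--device`.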